[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.727570] audit: type=1400 audit(1513020917.143:5): avc:  denied  { syslog } for  pid=2998 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   34.190979] audit: type=1400 audit(1513020938.606:6): avc:  denied  { map } for  pid=3143 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-net-kasan-gce-3,10.128.0.32' (ECDSA) to the list of known hosts.
executing program
[   40.304427] audit: type=1400 audit(1513020944.720:7): avc:  denied  { map } for  pid=3155 comm="syzkaller279273" path="/root/syzkaller279273760" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.307944] ==================================================================
[   40.307957] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[   40.307962] Read of size 8192 at addr ffff8801c4c5ed58 by task syzkaller279273/3155
[   40.307965]
[   40.307971] CPU: 1 PID: 3155 Comm: syzkaller279273 Not tainted 4.15.0-rc2+ #149
[   40.307975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.307978] Call Trace:
[   40.307986]  dump_stack+0x194/0x257
[   40.307995]  ? arch_local_irq_restore+0x53/0x53
[   40.308006]  ? show_regs_print_info+0x18/0x18
[   40.308012]  ? __lock_is_held+0xbc/0x140
[   40.308023]  ? pfkey_add+0x1634/0x3270
[   40.308032]  print_address_description+0x73/0x250
[   40.308038]  ? pfkey_add+0x1634/0x3270
[   40.308045]  kasan_report+0x25b/0x340
[   40.308055]  check_memory_region+0x137/0x190
[   40.308062]  memcpy+0x23/0x50
[   40.308069]  pfkey_add+0x1634/0x3270
[   40.308085]  ? set_ipsecrequest+0x310/0x310
[   40.308094]  ? lock_release+0xda0/0xda0
[   40.308101]  ? set_ipsecrequest+0x310/0x310
[   40.308110]  pfkey_process+0x60b/0x720
[   40.308121]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   40.308126]  ? kasan_check_write+0x14/0x20
[   40.308152]  ? dup_iter+0x1d2/0x260
[   40.308165]  pfkey_sendmsg+0x4d6/0x9f0
[   40.308175]  ? pfkey_spdget+0xb00/0xb00
[   40.308186]  ? selinux_socket_sendmsg+0x36/0x40
[   40.308193]  ? security_socket_sendmsg+0x89/0xb0
[   40.308199]  ? pfkey_spdget+0xb00/0xb00
[   40.308209]  sock_sendmsg+0xca/0x110
[   40.308217]  ___sys_sendmsg+0x75b/0x8a0
[   40.308229]  ? copy_msghdr_from_user+0x590/0x590
[   40.308236]  ? lock_downgrade+0x980/0x980
[   40.308259]  ? fget_raw+0x20/0x20
[   40.308267]  ? __handle_mm_fault+0x3e20/0x3e20
[   40.308272]  ? vmacache_find+0x5f/0x280
[   40.308285]  ? up_read+0x1a/0x40
[   40.308293]  ? __do_page_fault+0x3d6/0xc90
[   40.308298]  ? get_unused_fd_flags+0x190/0x190
[   40.308311]  ? __fdget+0x18/0x20
[   40.308323]  __sys_sendmsg+0xe5/0x210
[   40.308328]  ? __sys_sendmsg+0xe5/0x210
[   40.308336]  ? SyS_shutdown+0x290/0x290
[   40.308344]  ? __do_page_fault+0xc90/0xc90
[   40.308354]  ? fd_install+0x4d/0x60
[   40.308372]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.308384]  SyS_sendmsg+0x2d/0x50
[   40.308392]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.308397] RIP: 0033:0x43ff59
[   40.308401] RSP: 002b:00007ffd31191678 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   40.308408] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff59
[   40.308412] RDX: 0000000000000000 RSI: 00000000205f5000 RDI: 0000000000000003
[   40.308416] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   40.308419] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004018c0
[   40.308423] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.308442]
[   40.308445] Allocated by task 3155:
[   40.308451]  save_stack+0x43/0xd0
[   40.308455]  kasan_kmalloc+0xad/0xe0
[   40.308461]  __kmalloc_node_track_caller+0x47/0x70
[   40.308466]  __kmalloc_reserve.isra.41+0x41/0xd0
[   40.308470]  __alloc_skb+0x13b/0x780
[   40.308474]  pfkey_sendmsg+0x20f/0x9f0
[   40.308479]  sock_sendmsg+0xca/0x110
[   40.308484]  ___sys_sendmsg+0x75b/0x8a0
[   40.308488]  __sys_sendmsg+0xe5/0x210
[   40.308493]  SyS_sendmsg+0x2d/0x50
[   40.308498]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.308500]
[   40.308503] Freed by task 1640:
[   40.308507]  save_stack+0x43/0xd0
[   40.308511]  kasan_slab_free+0x71/0xc0
[   40.308516]  kfree+0xca/0x250
[   40.308520]  skb_free_head+0x74/0xb0
[   40.308525]  skb_release_data+0x58c/0x790
[   40.308529]  skb_release_all+0x4a/0x60
[   40.308534]  kfree_skb+0x15d/0x4c0
[   40.308540]  unix_stream_connect+0x876/0x1580
[   40.308545]  SYSC_connect+0x20a/0x480
[   40.308549]  SyS_connect+0x24/0x30
[   40.308554]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.308556]
[   40.308560] The buggy address belongs to the object at ffff8801c4c5ed40
[   40.308560]  which belongs to the cache kmalloc-512 of size 512
[   40.308565] The buggy address is located 24 bytes inside of
[   40.308565]  512-byte region [ffff8801c4c5ed40, ffff8801c4c5ef40)
[   40.308568] The buggy address belongs to the page:
[   40.308573] page:000000008b61363c count:1 mapcount:0 mapping:00000000bbffc0f0 index:0x0
[   40.308579] flags: 0x2fffc0000000100(slab)
[   40.308586] raw: 02fffc0000000100 ffff8801c4c5e0c0 0000000000000000 0000000100000006
[   40.308592] raw: ffffea00071305a0 ffffea0007130a60 ffff8801db000940 0000000000000000
[   40.308595] page dumped because: kasan: bad access detected
[   40.308597]
[   40.308600] Memory state around the buggy address:
[   40.308604]  ffff8801c4c5ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.308608]  ffff8801c4c5ee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.308612] >ffff8801c4c5ef00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   40.308615]                                            ^
[   40.308619]  ffff8801c4c5ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.308623]  ffff8801c4c5f000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.308626] ==================================================================
[   40.308628] Disabling lock debugging due to kernel taint
[   40.308640] Kernel panic - not syncing: panic_on_warn set ...
[   40.308640]
[   40.308644] CPU: 1 PID: 3155 Comm: syzkaller279273 Tainted: G    B            4.15.0-rc2+ #149
[   40.308646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.308647] Call Trace:
[   40.308651]  dump_stack+0x194/0x257
[   40.308656]  ? arch_local_irq_restore+0x53/0x53
[   40.308662]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.308668]  ? vsnprintf+0x1ed/0x1900
[   40.308672]  ? pfkey_add+0x15b0/0x3270
[   40.308677]  panic+0x1e4/0x41c
[   40.308681]  ? refcount_error_report+0x214/0x214
[   40.308686]  ? add_taint+0x1c/0x50
[   40.308690]  ? add_taint+0x1c/0x50
[   40.308695]  ? pfkey_add+0x1634/0x3270
[   40.308699]  kasan_end_report+0x50/0x50
[   40.308702]  kasan_report+0x144/0x340
[   40.308708]  check_memory_region+0x137/0x190
[   40.308712]  memcpy+0x23/0x50
[   40.308716]  pfkey_add+0x1634/0x3270
[   40.308729]  ? set_ipsecrequest+0x310/0x310
[   40.308734]  ? lock_release+0xda0/0xda0
[   40.308738]  ? set_ipsecrequest+0x310/0x310
[   40.308743]  pfkey_process+0x60b/0x720
[   40.308749]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   40.308752]  ? kasan_check_write+0x14/0x20
[   40.308765]  ? dup_iter+0x1d2/0x260
[   40.308772]  pfkey_sendmsg+0x4d6/0x9f0
[   40.308777]  ? pfkey_spdget+0xb00/0xb00
[   40.308783]  ? selinux_socket_sendmsg+0x36/0x40
[   40.308787]  ? security_socket_sendmsg+0x89/0xb0
[   40.308791]  ? pfkey_spdget+0xb00/0xb00
[   40.308795]  sock_sendmsg+0xca/0x110
[   40.308801]  ___sys_sendmsg+0x75b/0x8a0
[   40.308807]  ? copy_msghdr_from_user+0x590/0x590
[   40.308812]  ? lock_downgrade+0x980/0x980
[   40.308823]  ? fget_raw+0x20/0x20
[   40.308827]  ? __handle_mm_fault+0x3e20/0x3e20
[   40.308831]  ? vmacache_find+0x5f/0x280
[   40.308838]  ? up_read+0x1a/0x40
[   40.308842]  ? __do_page_fault+0x3d6/0xc90
[   40.308845]  ? get_unused_fd_flags+0x190/0x190
[   40.308853]  ? __fdget+0x18/0x20
[   40.308859]  __sys_sendmsg+0xe5/0x210
[   40.308863]  ? __sys_sendmsg+0xe5/0x210
[   40.308868]  ? SyS_shutdown+0x290/0x290
[   40.308872]  ? __do_page_fault+0xc90/0xc90
[   40.308878]  ? fd_install+0x4d/0x60
[   40.308888]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.308894]  SyS_sendmsg+0x2d/0x50
[   40.308899]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.308902] RIP: 0033:0x43ff59
[   40.308904] RSP: 002b:00007ffd31191678 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   40.308908] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff59
[   40.308911] RDX: 0000000000000000 RSI: 00000000205f5000 RDI: 0000000000000003
[   40.308913] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   40.308915] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004018c0
[   40.308917] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.330605] Dumping ftrace buffer:
[   40.330608]    (ftrace buffer empty)
[   40.330609] Kernel Offset: disabled
[   41.081777] Rebooting in 86400 seconds..